FileCOPA FTP Server directory traversal
filecopa-ftp-directory-traversal (24257)
Description:
FileCOPA FTP Server could allow a remote attacker to traverse directories on the FTP server. A remote attacker, with valid FTP authentication credentials, could send a specially-crafted STOR or RETR command to the FTP server to traverse directories and view arbitrary files outside of the FTP home directory.
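The check whose absence produces this class of flaw, as an added example that is not from the advisory and not FileCOPA's code: a server resolves the STOR or RETR argument against the account's home directory and refuses any path that climbs above it. The function names, the TraversalError class and the sample home path are assumptions made for illustration.

```python
import posixpath

class TraversalError(ValueError):
    """The argument would resolve outside the account's home directory."""

def resolve_in_home(home, cwd, arg):
    """Return the server-side path for a STOR/RETR argument, confined to home.

    home: absolute server path of the account root (constructed sample below)
    cwd:  client's current directory relative to home, e.g. "pub/docs"
    arg:  raw path argument as received on the control channel
    """
    if "\x00" in arg:
        raise TraversalError("NUL byte in path")
    arg = arg.replace("\\", "/")          # Windows accepts both separators
    if len(arg) > 1 and arg[1] == ":":
        raise TraversalError("drive-qualified path")
    # An absolute argument is relative to the virtual root, not the real one.
    stack = [] if arg.startswith("/") else [s for s in cwd.split("/") if s]
    for seg in arg.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                raise TraversalError("'..' climbs above home")
            stack.pop()
        elif not seg.strip(". "):
            # Dots/spaces only ("...", ".. "): ambiguous on Windows, refuse.
            raise TraversalError("ambiguous dot segment")
        else:
            stack.append(seg)
    return posixpath.join(home, *stack)

def check_command(home, cwd, line):
    """Parse one control-channel line; return (verb, path) or raise."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    if verb.upper() not in ("STOR", "RETR") or not arg:
        raise ValueError("not a STOR/RETR command with an argument")
    return verb.upper(), resolve_in_home(home, cwd, arg)

if __name__ == "__main__":
    HOME = "/srv/ftp/alice"               # constructed sample values
    for line in ("RETR notes.txt", "RETR ../../outside.txt",
                 "STOR ..\\..\\outside.txt", "RETR docs/../notes.txt"):
        try:
            print(line, "->", check_command(HOME, "", line))
        except TraversalError as e:
            print(line, "-> rejected:", e)
```

The resolution is purely lexical; a server that allows symbolic links or junctions inside the home directory also needs to compare the real path of the result against the real path of the home directory before opening the file.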
Consequences:
Obtain Information
Remedy:
Upgrade to the latest version of FileCOPA FTP Server (2.02 or later), available from the FileCOPA FTP Server Web site. FileCOPA version 1.01 fixed this vulnerability, but is no longer available from the company. See References.
References:
- FileCOPA Web site: FTP Server Download Free Trial - FileCOPA.
- Network Intelligence Security Advisory 19th January 2006: FileCopa FTP Directory Traversal Vulnerability.
- BID-16335: Intervations FileCopa FTP Server Directory Traversal Vulnerability
- BID-40312: FileCOPA FTP Server Directory Traversal Vulnerability
- CVE-2006-0344: Directory traversal vulnerability in Intervations FileCOPA FTP Server 1.01 allows remote attackers to read and write arbitrary files via a .. (dot dot) in the (1) STOR and (2) RETR commands.
- OSVDB ID: 22694: FileCOPA FTP Server Traversal Arbitrary File Access
- SA18550: FileCOPA FTP Server Directory Traversal Vulnerability
- SA39843: FileCOPA Directory Traversal Vulnerability
- VUPEN/ADV-2006-0285: FileCOPA STOR and RETR Commands Directory Traversal Vulnerability
Platforms Affected:
- InterVations FileCOPA FTP Server 1.01
Reported:
Jan 19, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
